The communications industry is rapidly changing to adjust to emerging technologies and ever increasing customer demand. This customer demand for new applications and increased performance of existing applications is driving communications network and system providers to employ networks and systems having greater speed and capacity (e.g., greater bandwidth). In trying to achieve these goals, a common approach taken by many communications providers is to use packet switching technology. Increasingly, public and private communications networks are being built and expanded using various packet technologies, such as Internet Protocol (IP).
RFC 2827 describes the need to implement unicast reverse path forwarding to prevent source address forging. There are two known ways for performing this operation. First, static access control lists (ACLs) can be manually created by an operator to specify the source addresses allowed on a particular interface. Major disadvantages of this approach include that different ACLs need to be manually defined for each interface, and these ACLs need to be manually updated to accommodate changes in the network topology to provide proper protection.
A second known approach is to perform two lookup operations on the forwarding information base: one based on the destination to identify a location which to forward the packet and a second lookup operation based on the source address of the packet to identify whether the packet was received on an allowed interface. This approach requires a second lookup operation on the FIB, which either decreases the rate at which packets can be forwarded (as it requires two lookups instead of just one) or it requires additional or duplicated components to perform these two lookup operations in parallel. Moreover, a third lookup operation is typically also performed, this one on a set of predefined ACLs to further identify how to process the packet. Performing all these lookup operations affects the rate at which packets can be processed and/or the amount of hardware and software required to perform such operations.
In one known approach, when unicast reverse path forwarding is enabled on an interface, the router examines all packets received on that interface. The router checks to make sure that the source address appears in the routing table and matches the interface on which the packet was received. This feature checks to see if any packet received at a router interface arrives on one of the best return paths to the source of the packet. The feature does this by doing a reverse lookup in the routing information base based on the source address of the packet. If a corresponding reverse path for the packet is not located, this feature can drop or forward the packet, depending on whether an ACL is specified in a configuration command. If an ACL is specified in the command, then when (and only when) a packet fails the unicast reverse path forwarding check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). If no ACL is specified in the configuration command, the router drops the forged or malformed packet immediately.